mirror of https://github.com/ghndrx/prowler.git synced 2026-02-10 23:05:05 +00:00

Files

Toni de la Fuente 2b2814723f Prowler 2.7.0 - Brave (#998 )

* Extra7161 EFS encryption at rest check

* Added check_extra7162 which checks if Log groups have 365 days retention

* fixed code to handle all regions and formatted output

* changed check title, resource type and service name as well as making the code more dynamic

* Extra7161 EFS encryption at rest check

* New check_extra7163 Secrets Manager key rotation enabled

* New check7160 Enabled AutomaticVersionUpgrade on RedShift Cluster

* Update ProwlerRole.yaml to have same permissions as util/org-multi-account/ProwlerRole.yaml

* Fix link to quicksight dashboard

* Install detect-secrets (e.g. for check_extra742)

* Updating check_extra7163 with requested changes

* fix(assumed-role): Check if -T and -A options are set

* docs(Readme): `-T` option is not mandatory

* fix(assume-role): Handle AWS STS CLI errors

* fix(assume-role): Handle AWS STS CLI errors

* Update group25_FTR

When trying to run the group 25 (Amazon FTR related security checks) nothing happens, after looking at the code there is a misconfiguration in 2 params: GROUP_RUN_BY_DEFAULT[9] and GROUP_CHECKS[9]. Updating values to 25 fixed the issue.

* Update README.md

broken link for capital letters in group file (group25_FTR)

* #938 issue assume_role multiple times should be fixed

* Label 2.7.0-1December2021 for tests

* Fixed error that appeared if the number of findings was very high.

* Adjusted the batch to only do 50 at a time. 100 caused capacity issues. Also added a check for an edge case where if the updated findings was a multiple of the batch size, it would throw an error for attempting to import 0 findings.

* Added line to delete the temp folder after everything is done.

* New check 7164 Check if Cloudwatch log groups are protected by AWS KMS@maisenhe

* updated CHECK_RISK

* Added checks extra7160,extra7161,extra7162,extra7163 to group Extras

* Added checks extra7160,extra7161,extra7162,extra7163 to group Extras

* Added issue templates

* New check 7165 DynamoDB: DAX encrypted at rest @Daniel-Peladeau

* New check 7165 DynamoDB: DAX encrypted at rest @Daniel-Peladeau

* Fix #963 check 792 to force json in ELB queries

* Fix #957 check 763 had us-east-1 region hardcoded

* Fix #962 check 7147 ALTERNATE NAME

* Fix #940 handling error when can not list functions

* Added new checks 7164 and 7165 to group extras

* Added invalid check or group id to the error message #962

* Fix Broken Link

* Add docker volume example to README.md

* Updated Dockerfile to use amazonlinux container

* Updated Dockerfile with AWS cli v2

* Added upgrade to the RUN

* Added cache purge to Dockerfile

* Backup AWS Credentials before AssumeRole and Restore them before CopyToS3

* exporting the ENV variables

* fixed bracket

* Improved documentation for install process

* fix checks with comma issues

* Added -D option to copy to S3 with the initial AWS credentials

* Cosmetic variable name change

* Added $PROFILE_OPT to CopyToS3 commands

* remove commas

* removed file as it is not needed

* Improved help usage options -h

* Fixed CIS LEVEL on 7163 through 7165

* When performing a restoreInitialAWSCredentials, unset the credentials ENV variables if they were never set

* New check 7166 Elastic IP addresses with associations are protected by AWS Shield Advanced

* New check 7167 Cloudfront distributions are protected by AWS Shield Advanced

* New check 7168 Route53 hosted zones are protected by AWS Shield Advanced

* New check 7169 Global accelerators are protected by AWS Shield Advanced

* New check 7170 Application load balancers are protected by AWS Shield Advanced

* New check 7171 Classic load balancers are protected by AWS Shield Advanced

* Include example for global resources

* Add AWS Advance Shield protection checks corrections

* Added Shield actions GetSubscriptionState and DescribeProtection

* Added Shield actions GetSubscriptionState and DescribeProtection

* docs(templates): Improve bug template with more info (#982)

* Removed echoes after role chaining fix

* Changed Route53 checks7152 and 7153 to INFO when no domains found

* Changed Route53 checks 7152 and 7153 title to clarify

* Added passed security groups in output to check 778

* Added passed security groups and updated title to check 777

* Added FAIL as error handling when SCP prevents queries to regions

* Label version 2.7.0-6January2022

* Updated .dockerignore with .github/

* Fix: issue #758 and #984

* Fix: issue #741 CloudFront and real-time logs

* Fix issues #971 set all as INFO instead of FAIL when no access to resource

* Fix: issue #986

* Add additional action permissions for Glue and Shield Advanced checks @lazize

* Add extra shield action permission

Allows the shield:GetSubscriptionState action

* Add permission actions

Make sure all files where permission actions are necessary will have the same actions

* Fix: Credential chaining from environment variables @lazize #996f

If profile is not defined, restore original credentials from environment variables,
if they exists, before assume-role

* Lable version 2.7.0-24January2022

Co-authored-by: Lee Myers <ichilegend@gmail.com>
Co-authored-by: Chinedu Obiakara <obiakac@amazon.com>
Co-authored-by: Daniel Peladeau <dcpeladeau@gmail.com>
Co-authored-by: Jonathan Lozano <jonloza@amazon.com>
Co-authored-by: Daniel Lorch <dlorch@gmail.com>
Co-authored-by: Pepe Fagoaga <jose.fagoaga@smartprotection.com>
Co-authored-by: Israel <6672089+lopmoris@users.noreply.github.com>
Co-authored-by: root <halfluke@gmail.com>
Co-authored-by: nikirby <nikirby@amazon.com>
Co-authored-by: Joel Maisenhelder <maisenhe@gmail.com>
Co-authored-by: RT <35173068+rtcms@users.noreply.github.com>
Co-authored-by: Andrea Di Fabio <39841198+sectoramen@users.noreply.github.com>
Co-authored-by: Joseph de CLERCK <clerckj@amazon.fr>
Co-authored-by: Michael Dickinson <45626543+michael-dickinson-sainsburys@users.noreply.github.com>
Co-authored-by: Pepe Fagoaga <pepe@verica.io>
Co-authored-by: Leonardo Azize Martins <lazize@users.noreply.github.com>

2022-01-24 13:49:47 +01:00

docs

Update: Documentation reference

2021-09-13 16:14:35 -05:00

data.tf

Update: Documentation reference

2021-09-13 16:14:35 -05:00

main.tf

Prowler 2.7.0 - Brave (#998 )

2022-01-24 13:49:47 +01:00

outputs.tf

Update: Documentation reference

2021-09-13 16:14:35 -05:00

prowler_build_spec.yml

Update: Documentation reference

2021-09-13 16:14:35 -05:00

readme.md

fix readme for terraform kickstarter

2021-11-13 14:48:16 +01:00

tf_install.sh

Update: Documentation reference

2021-09-13 16:14:35 -05:00

variables.tf

Update: Documentation reference

2021-09-13 16:14:35 -05:00

readme.md

Install Security Baseline Kickstarter with Prowler

Introduction

The following demonstartes how to quickly install the resources necessary to perform a security baseline using Prowler. The speed is based on the prebuilt terraform module that can configure all the resources necessuary to run Prowler with the findings being sent to AWS Security Hub.

Install

Installing Prowler with Terraform is simple and can be completed in under 1 minute.

Start AWS CloudShell

Run the following commands to install Terraform and clone the Prowler git repo

git clone https://github.com/singergs/prowler.git
git fetch
cd prowler
git checkout -t origin/terraform-kickstarter
sudo yum install -y yum-utils
sudo yum-config-manager --add-repo https://rpm.releases.hashicorp.com/AmazonLinux/hashicorp.repo
sudo yum -y install terraform
cd util/terraform-kickstarter

Issue a terraform init
Issue a terraform apply
- It is likely an error will return related to the SecurityHub subscription. This appears to be Terraform related and you can validate the configuration by navigating to the SecurityHub console. Click Integreations and search for Prowler. Take noe of the green check where it says Accepting findings

Thats it! Install is now complete. The resources included a Cloudwatch event that will trigger the AWS Codebuild to run daily at 00:00 GMT. If you'd like to run an assessment after the deployment then simply navigate to the Codebuild console and start the job manually.

Terraform Resources

Requirements

Name	Version
aws	~> 3.54

Providers

Name	Version
aws	3.56.0

Modules

No modules.

Resources

Name	Type
aws_cloudwatch_event_rule.prowler_check_scheduler_event	resource
aws_cloudwatch_event_target.run_prowler_scan	resource
aws_codebuild_project.prowler_codebuild	resource
aws_iam_policy.prowler_event_trigger_policy	resource
aws_iam_policy.prowler_kickstarter_iam_policy	resource
aws_iam_policy_attachment.prowler_event_trigger_policy_attach	resource
aws_iam_policy_attachment.prowler_kickstarter_iam_policy_attach	resource
aws_iam_role.prowler_event_trigger_role	resource
aws_iam_role.prowler_kick_start_role	resource
aws_s3_bucket.prowler_report_storage_bucket	resource
aws_s3_bucket_policy.prowler_report_storage_bucket_policy	resource
aws_s3_bucket_public_access_block.prowler_report_storage_bucket_block_public	resource
aws_securityhub_account.securityhub_resource	resource
aws_securityhub_product_subscription.security_hub_enable_prowler_findings	resource
aws_caller_identity.current	data source
aws_iam_policy.SecurityAudit	data source
aws_region.current	data source

Inputs

Name	Description	Type	Default	Required
codebuild_timeout	Codebuild timeout setting	`number`	`300`	no
enable_security_hub	Enable AWS SecurityHub.	`bool`	`true`	no
enable_security_hub_prowler_subscription	Enable a Prowler Subscription.	`bool`	`true`	no
prowler_cli_options	Run Prowler With The Following Command	`string`	`"-q -M json-asff -S -f us-east-1"`	no
prowler_schedule	Run Prowler based on cron schedule	`string`	`"cron(0 0 ? * * *)"`	no
select_region	Uses the following AWS Region.	`string`	`"us-east-1"`	no

Outputs

Name	Description
account_id	n/a

readme.md

Install Security Baseline Kickstarter with Prowler

Introduction

Install

Terraform Resources

Requirements

Providers

Modules

Resources

Inputs

Outputs

Kickoff Prowler Assessment From Install to Assessment Demo (Link to YouTube)